Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Botan
(Botan_project)| Repositories | https://github.com/randombit/botan |
| #Vulnerabilities | 26 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-04-10 | CVE-2016-6879 | The X509_Certificate::allowed_usage function in botan 1.11.x before 1.11.31 might allow attackers to have unspecified impact by leveraging a call with more than one Key_Usage set in the enum value. | Botan | 7.5 | ||
| 2017-04-10 | CVE-2016-6878 | The Curve25519 code in botan before 1.11.31, on systems without a native 128-bit integer type, might allow attackers to have unspecified impact via vectors related to undefined behavior, as demonstrated on 32-bit ARM systems compiled by Clang. | Botan | 9.8 | ||
| 2016-05-13 | CVE-2016-2850 | Botan 1.11.x before 1.11.29 does not enforce TLS policy for (1) signature algorithms and (2) ECC curves, which allows remote attackers to conduct downgrade attacks via unspecified vectors. | Botan, Fedora | 7.5 | ||
| 2016-05-13 | CVE-2016-2849 | Botan before 1.10.13 and 1.11.x before 1.11.29 do not use a constant-time algorithm to perform a modular inverse on the signature nonce k, which might allow remote attackers to obtain ECDSA secret keys via a timing side-channel attack. | Botan, Debian_linux, Fedora | 7.5 | ||
| 2016-05-13 | CVE-2016-2196 | Heap-based buffer overflow in the P-521 reduction function in Botan 1.11.x before 1.11.27 allows remote attackers to cause a denial of service (memory overwrite and crash) or execute arbitrary code via unspecified vectors. | Botan | 9.8 | ||
| 2016-05-13 | CVE-2016-2195 | Integer overflow in the PointGFp constructor in Botan before 1.10.11 and 1.11.x before 1.11.27 allows remote attackers to overwrite memory and possibly execute arbitrary code via a crafted ECC point, which triggers a heap-based buffer overflow. | Botan, Debian_linux | 9.8 | ||
| 2016-05-13 | CVE-2016-2194 | The ressol function in Botan before 1.10.11 and 1.11.x before 1.11.27 allows remote attackers to cause a denial of service (infinite loop) via unspecified input to the OS2ECP function, related to a composite modulus. | Botan, Debian_linux | 7.5 | ||
| 2016-05-13 | CVE-2015-7827 | Botan before 1.10.13 and 1.11.x before 1.11.22 make it easier for remote attackers to conduct million-message attacks by measuring time differences, related to decoding of PKCS#1 padding. | Botan, Debian_linux, Fedora | 7.5 | ||
| 2017-04-10 | CVE-2015-7826 | botan 1.11.x before 1.11.22 improperly handles wildcard matching against hostnames, which might allow remote attackers to have unspecified impact via a valid X.509 certificate, as demonstrated by accepting *.example.com as a match for bar.foo.example.com. | Botan | 9.8 | ||
| 2017-04-10 | CVE-2015-7825 | botan before 1.11.22 improperly validates certificate paths, which allows remote attackers to cause a denial of service (infinite loop and memory consumption) via a certificate with a loop in the certificate chain. | Botan | 7.5 |